Oh I do imagine they're always looking for the easiest targets.
But in the case of my guildie they must have had some kind of in-depth information about the system, as they were able to log on while the account was inactive, bypass his authenticator, and take more than the daily limit in both gold and item withdrawals. Could he be lying about account activity and the authenticator? Maybe, but if he was capable of compromising/exploiting Blizz's systems (knowing him for 3 years, he's not) to be able to withdraw more than the daily limit, Blizz would have found evidence it was him and wouldn't have given his account back.
I was "hacked" once myself, back before authenticators, and when I used the same username/password for other services (which is how I suspect they got my info). They transferred one of my characters to a different server by bypassing the normal transfer process. When I got my account back there was no record that a transfer had been initiated through the paid transfer service (and they only had it for 3 hours so a GM ticket for a transfer couldn't have been answered in that time), but there my character was, naked on a server I had never played on. So sometimes they do exploit genuine flaws in the system, but how they come across these magical powers is not for me to know.
And yeah, hackers/exploiters will always be a thorn in the side of developers of sensitive systems, whether gaming or banking or government contracting. All I can really do is protect myself the best way I know how. I'll leave the battle of wits up to the professionals and the troublemakers.